Cybersecurity researchers have discovered unencrypted data of about a million users of Quickfox, a free virtual private network (VPN) service primarily used to access Chinese sites from outside of mainland China.
Commenting on the find, WizCase says that the data exposed a variety of personally identifiable information (PII) of the users of the service, including their names, phone numbers, and more.
“There was no need for a password or login credentials to see this information, and the data was not encrypted. Based on the records exposed, our team estimates that the breach affected at least a million Quickfox users,” writes WizCase.
The security researchers claim that they tried bringing the leak to the attention of Quickfox, but the free VPN provider hasn’t yet responded to their hails.
The data was discovered through a misconfiguration in Quickfox’s ElasticSearch server thanks to incomplete ELK stack security.
The researchers explain that ELK (Elasticsearch, Logstash, and Kibana) are three open source applications that help streamline searches through large files, such as the logs of an online service like Quickfox.
“Quickfox had set up access restrictions from Kibana, but had not set up the same security measures for their Elasticsearch server. This means that anyone with a browser and an internet connection could access Quickfox logs and extract sensitive information on Quickfox users,” explained WizCase.
The total leaked data was made up of over 500 million records and totaled over 100GB. About a million of these records had PII of users, including MD5 hashed passwords, which WizCase claims can’t withstand modern password crackers.
Worryingly however, the leaked data didn’t just contain the IP address assigned to the user, but also the user’s original IP address from which they connected to the VPN service. WizCase was also surprised that the service collects data about the other software installed on the user’s device.